Fix insufficient length validation in IPv4 packets.

Found via cargo-fuzz.
This commit is contained in:
whitequark 2017-10-02 23:03:41 +00:00
parent f60e689b04
commit cf986bf20b
1 changed files with 18 additions and 6 deletions

View File

@ -119,19 +119,21 @@ impl<T: AsRef<[u8]>> Packet<T> {
/// Ensure that no accessor method will panic if called.
/// Returns `Err(Error::Truncated)` if the buffer is too short.
///
/// The result of this check is invalidated by calling [set_header_len].
/// The result of this check is invalidated by calling [set_header_len]
/// and [set_total_len].
///
/// [set_header_len]: #method.set_header_len
/// [set_total_len]: #method.set_total_len
pub fn check_len(&self) -> Result<()> {
let len = self.buffer.as_ref().len();
if len < field::DST_ADDR.end {
Err(Error::Truncated)
} else if len < self.header_len() as usize {
Err(Error::Truncated)
} else if len < self.total_len() as usize {
Err(Error::Truncated)
} else {
if len < self.header_len() as usize {
Err(Error::Truncated)
} else {
Ok(())
}
Ok(())
}
}
@ -634,6 +636,16 @@ mod test {
PAYLOAD_BYTES.len());
}
#[test]
fn test_total_len_overflow() {
let mut bytes = vec![];
bytes.extend(&PACKET_BYTES[..]);
Packet::new(&mut bytes).set_total_len(128);
assert_eq!(Packet::new_checked(&bytes).unwrap_err(),
Error::Truncated);
}
static REPR_PACKET_BYTES: [u8; 24] =
[0x45, 0x00, 0x00, 0x18,
0x00, 0x00, 0x40, 0x00,